Data storage destruction specialist DiskShred has warned UK companies that process credit card transactions – which accounts for almost all SMEs and larger businesses – of plans to dramatically ramp up the security requirements under Version 3 of the PCI DSS rules due later this year.
Developed by the card payments industry in close consultation with the Payment Card Industry (PCI) council, the PCI Data Security Standards (PCI DSS) consists of 12 significant requirements including multiple sub-requirements, which contain numerous directives.
These directives – which apply to most organisations that process payment card transactions – allow businesses to measure their own payment card security policies, procedures and guidelines.
Most experts agree that revision three of the PCI DSS rules will extend the scope of the standard’s external audit requirements to cover many more companies, as well as impose harsher requirements on all companies that accept credit and debit cards from their customers.
According to Philip McMichael, operations director with DiskShred, this will impose a far more stringent set of security requirements when companies dispose of their data, especially where the IT equipment has reached an end-of-life situation.
“We’ve all heard the horror stories of customer data appearing on the hard drives of computers sold on auction Web sites – resulting in fines from the Information Commissioner’s Office (ICO) under the Data Protection Act.
“Under the PCI DSS rules, if you do not comply with the required standard, you may lose your ability to accept credit and debit cards from your customers – which is arguably far worse than a hefty fine from the ICO,” he says.
“Thankfully we can offer an on-site service that provides a hard drive and data storage device destruction facility that conforms to all necessary governance standards – shredding the data storage down to confetti-sized pieces – and providing a complete compliance audit trail, thanks to on-truck CCTV facilities and CRB-checked staff,” he adds.
McMichael, whose firm has been in the IT asset disposal business since 2001, went on to say that DiskShred has the necessary EU accreditations to do what it does – and a few more besides – which is why almost three quarters of its business comes from repeat customers or client referrals.
And with other legislation, including the aforementioned Data Protection Act and the Companies Act, imposing increasing levels of data security duty of care on company directors and their senior staff, there is also the spectre of the Government introducing custodial sentences for individuals who breach data protection laws.
And this, says DiskShred’s operations director, is where his firm’s fully auditable on-site data storage device destruction service can provide a hassle-free way of avoiding corporate angst over breaking the law or required governance standards. It’s also why on-site destruction is essential.
“A company needs to be sure its hard drives definitely made it into the shredder without any ‘en-route diversions’ into the wrong hands,” McMichael says.
“Our observations suggest that no matter how effective the data security and destruction rules within an organisation, the human element will always mean that rules can be deviated from – and corners will be cut. People get tired, become bored and even turn to crime depending on the circumstances.
“This is why we believe in on-site media shredding – to verifiable minimum standards, backed up with criminal background checks on the staff completing the process and CCTV footage to act as the ultimate audit proof.
“Our approach is the only sure-fire way to prove to regulators, the police and clients that the data held on your storage devices is gone forever. So whether you have 50 or 5,000 disks to destroy, we can move our trucks on to your site and shred your hardware in front of your eyes.”